Mysidia Adoptables Support Forum  

Home Community Mys-Script Creative Off-Topic
Go Back   Mysidia Adoptables Support Forum > Mysidia Adoptables > Addons and Modifications > Addons/Mods Graveyard

Notices

Closed Thread
 
Thread Tools Display Modes
  #11  
Old 04-02-2009, 12:11 AM
Seapyramid Seapyramid is offline
Premium Member
 
Join Date: Feb 2009
Posts: 373
Gender: Female
Credits: 18,120
Seapyramid
Default RE: Rename adoptables (Updated!!)

*****CAUTION********
I used this today.. worked great.. went out, .. came home.., GREY SCREEN!! I call my host for that site & asked.. they found a hack entry from the script!! They fixed the issue on ALL pages & emailed me some info on protection. I will read the email in the morning & give for info. But there is a security issue in the mod.

Sea
  #12  
Old 04-02-2009, 11:00 AM
Rsmiley Rsmiley is offline
Member
 
Join Date: May 2008
Posts: 90
Credits: 5,230
Rsmiley
Default RE: Rename adoptables (Updated!!)

It doesnt filter for SQL injections i bet...
  #13  
Old 04-02-2009, 02:29 PM
kisazeky kisazeky is offline
Member
 
Join Date: Mar 2009
Posts: 44
Credits: 22,703
kisazeky
Default RE: Rename adoptables (Updated!!)

I included this

PHP Code:
$id $_POST["id"];
$id preg_replace("/[^a-zA-Z0-9s]/"""$id);
$newname $_POST["newname"];
$newname preg_replace("/[^a-zA-Z0-9\\040.]/"""$newname); 
What do I need to include to filter these injections, Rsmiley?

Edit: Maybe this will protect it?

Adding this to functions.php:

PHP Code:
function cleanQuery($string)
{
  if(
get_magic_quotes_gpc())  // prevents duplicate backslashes
  
{
    
$string stripslashes($string);
  }
  if (
phpversion() >= '4.3.0')
  {
    
$string mysql_real_escape_string($string);
  }
  else
  {
    
$string mysql_escape_string($string);
  }
  return 
$string;

Then adding this line in rename2.php:

PHP Code:
if (isset($_POST['newname'])) $newname cleanQuery($_POST['newname']); 

What do you think Rsmiley?

It certainly does not hurt anything.
  #14  
Old 04-02-2009, 09:34 PM
Rsmiley Rsmiley is offline
Member
 
Join Date: May 2008
Posts: 90
Credits: 5,230
Rsmiley
Default RE: Rename adoptables (Updated!!)

It should be quite secure. I doubt it would be exploitable after that has been added.

You are safe with that added
  #15  
Old 04-03-2009, 04:58 AM
Ashje Ashje is offline
Member
 
Join Date: Jan 2009
Posts: 179
Credits: 12,703
Ashje
Default RE: Rename adoptables (Updated!!)

Quote:
Originally Posted by kisazeky
I included this

PHP Code:
$id $_POST["id"];
$id preg_replace("/[^a-zA-Z0-9s]/"""$id);
$newname $_POST["newname"];
$newname preg_replace("/[^a-zA-Z0-9\\040.]/"""$newname); 
What do I need to include to filter these injections, Rsmiley?

Edit: Maybe this will protect it?

Adding this to functions.php:

PHP Code:
function cleanQuery($string)
{
  if(
get_magic_quotes_gpc())  // prevents duplicate backslashes
  
{
    
$string stripslashes($string);
  }
  if (
phpversion() >= '4.3.0')
  {
    
$string mysql_real_escape_string($string);
  }
  else
  {
    
$string mysql_escape_string($string);
  }
  return 
$string;

Then adding this line in rename2.php:

PHP Code:
if (isset($_POST['newname'])) $newname cleanQuery($_POST['newname']); 

What do you think Rsmiley?

It certainly does not hurt anything.
EDIT: I'm assuming that
PHP Code:
if (isset($_POST['newname'])) $newname cleanQuery($_POST['newname']); 
goes here:
Code:
$newname = $_POST["newname"];
but I get this error: "
PHP Error Message

Parse error: syntax error, unexpected T_IF in /home/---------/public_html/rename2.php on line 78

Free Web Hosting"
  #16  
Old 04-03-2009, 03:11 PM
kisazeky kisazeky is offline
Member
 
Join Date: Mar 2009
Posts: 44
Credits: 22,703
kisazeky
Default RE: Rename adoptables (Updated!!)

No, don't do that.

Add

PHP Code:
if (isset($_POST['newname'])) $newname cleanQuery($_POST['newname']); 
below

PHP Code:
$newname $_POST["newname"]; 
Edit: Wait a minute, I just realized. Rusnak had the post data things before the connect to database script. That makes sense, hijackers can't input manipulative data if they don't have access to the database yet.
  #17  
Old 04-03-2009, 05:30 PM
Ashje Ashje is offline
Member
 
Join Date: Jan 2009
Posts: 179
Credits: 12,703
Ashje
Default RE: Rename adoptables (Security issue fixed!)

^
All done, thanks =)
  #18  
Old 04-03-2009, 08:05 PM
Seapyramid Seapyramid is offline
Premium Member
 
Join Date: Feb 2009
Posts: 373
Gender: Female
Credits: 18,120
Seapyramid
Default RE: Rename adoptables (Security issue fixed!)

Cool :) Thanks for the fix
:)
Sea

***EDIT***
**FYI**
This is an edit just because I do tend to hear things. I have just heard a rumor that Soleria stole code, just because they used this script without changing the Digimon reference. I corrected the person before they took this rumor further, but that is how easy rumors can start in this field. So please make sure you offer generic scripts & those using the scripts make sure you check them for issues like this.

Sea
  #19  
Old 04-04-2009, 05:39 PM
kisazeky kisazeky is offline
Member
 
Join Date: Mar 2009
Posts: 44
Credits: 22,703
kisazeky
Default RE: Rename adoptables (Security issue fixed!)

Yes I did change this to be more generic.
  #20  
Old 04-04-2009, 10:42 PM
Seapyramid Seapyramid is offline
Premium Member
 
Join Date: Feb 2009
Posts: 373
Gender: Female
Credits: 18,120
Seapyramid
Default RE: Rename adoptables (Security issue fixed!)

I'm sorry Kisazeky, when I said "you" I really didn't mean YOU. I know you had made the change to be more generic. :) I was just meaning "you" in general to anyone who might offer a script or design so that some unsuspecting site didn't get in trouble for something they didn't do. :)

Sea
Closed Thread


Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Mysidia Adoptables v1.3.4[Security Release] Hall of Famer Mysidia Adoptables Official Announcement 77 08-20-2020 03:58 PM
Mysidia Adoptables v1.3.1[Security Release] Hall of Famer Mysidia Adoptables Official Announcement 109 08-24-2012 05:50 AM
Mysidia Adoptables v1.3.0[Security Release] Hall of Famer Mysidia Adoptables Official Announcement 180 04-01-2012 11:16 PM
Mysidia Adoptables v1.2.3[Security Release] Hall of Famer Mysidia Adoptables Official Announcement 38 10-29-2011 01:26 PM
Opinions and Suggestions (Security issue inside) nobackseat Feedback and Suggestions 13 02-07-2011 01:17 AM


All times are GMT -5. The time now is 07:42 PM.

Currently Active Users: 677 (0 members and 677 guests)
Threads: 4,081, Posts: 32,032, Members: 2,016
Welcome to our newest members, jolob.
BETA





What's New?

What's Hot?

What's Popular?


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
vBCommerce I v2.0.0 Gold ©2010, PixelFX Studios
vBCredits I v2.0.0 Gold ©2010, PixelFX Studios
Emoticons by darkmoon3636